… | |
… | |
281 | </dd> |
281 | </dd> |
282 | <p></p> |
282 | <p></p> |
283 | <dt><strong><a name="item_i_need_to_make_it_setuid_2fsetgid_to_support_utmp_">I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?</a></strong><br /> |
283 | <dt><strong><a name="item_i_need_to_make_it_setuid_2fsetgid_to_support_utmp_">I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?</a></strong><br /> |
284 | </dt> |
284 | </dt> |
285 | <dd> |
285 | <dd> |
286 | Likely not. While I honestly try to make it secure, and am probably not |
286 | It should be, starting with release 7.1. You are encouraged to properly |
287 | bad at it, I think it is simply unreasonable to expect all of freetype |
287 | install urxvt with privileges necessary for your OS now. |
288 | + fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be |
|
|
289 | secure. Also, rxvt-unicode disables some options when it detects that it |
|
|
290 | runs setuid or setgid, which is not nice. Besides, with the embedded perl |
|
|
291 | interpreter the possibility for security problems easily multiplies. |
|
|
292 | </dd> |
|
|
293 | <dd> |
288 | </dd> |
294 | <p>Elevated privileges are only required for utmp and pty operations on some |
|
|
295 | systems (for example, GNU/Linux doesn't need any extra privileges for |
|
|
296 | ptys, but some need it for utmp support). It is planned to mvoe this into |
|
|
297 | a forked handler process, but this is not yet done.</p> |
|
|
298 | </dd> |
289 | <dd> |
|
|
290 | <p>When rxvt-unicode detects that it runs setuid or setgid, it will fork |
|
|
291 | into a helper process for privileged operations (pty handling on some |
|
|
292 | systems, utmp/wtmp/lastlog handling on others) and drop privileges |
|
|
293 | immediately. This is much safer than most other terminals that keep |
|
|
294 | privileges while running (but is more relevant to urxvt, as it contains |
|
|
295 | things as perl interpreters, which might be ``helpful'' to attackers).</p> |
299 | <dd> |
296 | </dd> |
300 | <p>So, while setuid/setgid operation is supported and not a problem on your |
297 | <dd> |
301 | typical single-user-no-other-logins unix desktop, always remember that |
298 | <p>This forking is done as the very first within main(), which is very early |
302 | its an awful lot of code, most of which isn't checked for security issues |
299 | and reduces possible bugs to initialisation code run before main(), or |
303 | regularly.</p> |
300 | things like the dynamic loader of your system, which should result in very |
|
|
301 | little risk.</p> |
304 | </dd> |
302 | </dd> |
305 | <p></p> |
303 | <p></p> |
306 | <dt><strong><a name="item_when_i_log_2din_to_another_system_it_tells_me_abou">When I log-in to another system it tells me about missing terminfo data?</a></strong><br /> |
304 | <dt><strong><a name="item_when_i_log_2din_to_another_system_it_tells_me_abou">When I log-in to another system it tells me about missing terminfo data?</a></strong><br /> |
307 | </dt> |
305 | </dt> |
308 | <dd> |
306 | <dd> |
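Review bot: The new answer (new lines 290-293) says the process forks a helper and will "drop privileges immediately", but it does not say which side keeps the privileges or whether the drop in the main process is permanent. Since the old warning about freetype, fontconfig, xft, xlib and perl running with privileges is removed on the strength of this design, please state explicitly that only the helper retains the setuid/setgid rights and that the terminal process, including the embedded perl interpreter, cannot regain them. The old caveat that rxvt-unicode disables some options when it detects setuid/setgid operation (old lines 289-290) is dropped without saying whether that behaviour still applies. Two wording points: "done as the very first within main()" at new line 298 is missing "thing", and "contains things as perl interpreters" at new lines 294-295 should read "contains things such as perl interpreters".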
… | |
… | |
2360 | Add support for a very unobtrusive, plain-looking scrollbar that |
2358 | Add support for a very unobtrusive, plain-looking scrollbar that |
2361 | is the favourite of the rxvt-unicode author, having used it for |
2359 | is the favourite of the rxvt-unicode author, having used it for |
2362 | many years. |
2360 | many years. |
2363 | </dd> |
2361 | </dd> |
2364 | <p></p> |
2362 | <p></p> |
2365 | <dt><strong><a name="item_shadow">--enable-half-shadow (default: off)</a></strong><br /> |
|
|
2366 | </dt> |
|
|
2367 | <dd> |
|
|
2368 | Make shadows on the scrollbar only half the normal width & height. |
|
|
2369 | only applicable to rxvt scrollbars. |
|
|
2370 | </dd> |
|
|
2371 | <p></p> |
|
|
2372 | <dt><strong><a name="item_ttygid">--enable-ttygid (default: off)</a></strong><br /> |
2363 | <dt><strong><a name="item_ttygid">--enable-ttygid (default: off)</a></strong><br /> |
2373 | </dt> |
2364 | </dt> |
2374 | <dd> |
2365 | <dd> |
2375 | Change tty device setting to group ``tty'' - only use this if |
2366 | Change tty device setting to group ``tty'' - only use this if |
2376 | your system uses this type of security. |
2367 | your system uses this type of security. |
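Review bot: Removing the --enable-half-shadow entry (old lines 2365-2371) is unrelated to the setuid/setgid FAQ rewrite earlier in this diff and would be easier to review as its own commit. Please confirm the configure option itself is removed in the same change, otherwise the flag stays accepted but undocumented. The item_shadow anchor disappears with the entry, so any links to it elsewhere in the document need updating.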